internetsociety.org, isoc.org partial DNSSEC Outages:
2015-06-09 to 2015-06-15

Updated: June 25, 2015

Overview

This page gives some details on the internetsociety.org and isoc.org partial DNSSEC failures from June 9 through June 15, 2015.

Timeline / DNSViz (internetsociety.org)

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, so here's a screenshot I took of my web browser's output:

[Screenshot: internetsociety.org partial DNSSEC outage, June 13, 2015]

OpenDNS & Google Public DNS (isoc.org)

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under isoc.org during this outage.

With OpenDNS, queries succeed:

$ dig mail.isoc.org. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> mail.isoc.org. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51012
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.isoc.org. IN A

;; ANSWER SECTION:
mail.isoc.org. 86400 IN CNAME mx1.emailsrvr.com.
mx1.emailsrvr.com. 27 IN A 173.203.187.1

;; Query time: 162 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Jun 14 16:54:26 2015
;; MSG SIZE rcvd: 78

With Google Public DNS, which validates DNSSEC, queries fail:

$ dig mail.isoc.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> mail.isoc.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.isoc.org. IN A

;; Query time: 212 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 14 16:54:18 2015
;; MSG SIZE rcvd: 31

dnscheck

dnscheck.iis.se archived a partial DNSSEC outage at 2015-06-13 17:45:52 (requires JavaScript).

dnscheck.labs.nic.cz archived a partial DNSSEC outage at 2015-06-13 17:46:28 (requires JavaScript).

Zonemaster

Zonemaster archived this internetsociety.org partial DNSSEC outage.

Twitter notice

@PCTuning_OW provided comments.

dns-operations list

Stephane Bortzmeyer wrote this: "A recent example was the break of isoc.org and internetsociety.org. A secondary name server was behind and served expired signatures. IMHO, the fault is 100 % on the ISOC side: they should monitor their own zones."
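
The failure mode named in that quote, a secondary that falls behind and serves expired signatures, only shows up when each authoritative server is queried directly and its RRSIG validity window and SOA serial are compared per server. The Python below is an added example, not part of the original page or of ISOC's tooling; the zone example.org, the server names, serials, key tag and signature text are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample answers (not captured during the incident), in the text form that
# `dig +dnssec +norecurse SOA example.org @<server>` prints. All values are placeholders.
SAMPLE = {
    "ns-primary.example": (
        "example.org. 3600 IN SOA ns-primary.example. hostmaster.example.org. 2015061401 7200 3600 1209600 3600\n"
        "example.org. 3600 IN RRSIG SOA 7 2 3600 20150628000000 20150614000000 11111 example.org. c2lnbmF0dXJl\n"),
    "ns-secondary.example": (
        "example.org. 3600 IN SOA ns-primary.example. hostmaster.example.org. 2015052601 7200 3600 1209600 3600\n"
        "example.org. 3600 IN RRSIG SOA 7 2 3600 20150609000000 20150526000000 11111 example.org. c2lnbmF0dXJl\n"),
}

def _ts(field):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS in UTC (RFC 4034).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse(answer):
    """Return (soa_serial, [(inception, expiration), ...]) from dig-style answer text."""
    serial, sigs = None, []
    for line in answer.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 11:
            continue  # skip dig comment lines and anything too short to be SOA/RRSIG
        if f[3] == "SOA":
            serial = int(f[6])
        elif f[3] == "RRSIG" and len(f) >= 13:
            sigs.append((_ts(f[9]), _ts(f[8])))  # field 8 = expiration, 9 = inception
    return serial, sigs

def audit(answers, now, warn=timedelta(days=3)):
    """Map each server to its problems ([] = healthy). Serials compared with plain max(), not RFC 1982."""
    parsed = {srv: parse(text) for srv, text in answers.items()}
    newest = max((s for s, _ in parsed.values() if s is not None), default=None)
    report = {}
    for srv, (serial, sigs) in parsed.items():
        issues = [] if sigs else ["no RRSIG in answer"]
        for inception, expiration in sigs:
            if not inception <= now <= expiration:
                issues.append(f"signature outside validity window {inception:%Y-%m-%d}..{expiration:%Y-%m-%d}")
            elif expiration - now < warn:
                issues.append(f"signature expires within {warn.days} days")
        if serial != newest:
            issues.append(f"SOA serial {serial} behind {newest}")
        report[srv] = issues
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, datetime(2015, 6, 14, tzinfo=timezone.utc)))
```

In a real monitor the dictionary would be filled by running the dig command against every server listed in the zone's NS set, and any non-empty list would raise an alert before validating resolvers start returning SERVFAIL.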